
RE: [Cfrg] Re: [saag] Bad day at the hash function factory



Alex:

At 03:03 PM 8/26/2004 -0700, Scott Fluhrer wrote:
Actually, how WEP used it caused other significant weaknesses, even beyond what we found:
- Only 2^24 distinct keystreams. This means that after (at best) 16 million packets, you're reusing keystreams, even if RC4 had no related key weakness.
- No real packet authentication. With WEP, this means that if he collects an encrypted packet and guesses its contents, he can then spoof *any* packet (possibly limited to packets of the same length).

I've always wanted a good, short hash for packet authentication. MD5 or SHA-1 are overkill for packets of 1518 bytes or less, that last only hundreds of milliseconds on a communications link.

Maybe this is why WEP doesn't have it.

WEP used CRC-32 for integrity. This choice was a very poor one, especially when used in conjunction with a stream cipher.


802.11i defines two alternatives:

1. TKIP, which uses RC4 for encryption, defines a new integrity algorithm. It is called Michael, and it provides about 30 bits of security. Clearly, this is light-weight. However, there was no way to do better with the existing hardware.

2. CCMP, which uses AES-128, uses CBC-MAC. Since this solution was not intended to run on existing hardware, a much stronger solution was possible.

Russ
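
Added example, not part of the original message: a short Python sketch of why CRC-32 under a stream cipher gives no integrity, next to a keyed MAC that rejects the same change. It assumes a SHAKE-256 keystream as a stand-in for RC4 and HMAC-SHA-256 as a stand-in keyed check (not Michael or CBC-MAC); all function names and the sample payload are constructed, and IV handling is left out.

```python
import hashlib, hmac, os, zlib

def crc32_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in for RC4 (assumption): any XOR stream cipher behaves the same here.
    return hashlib.shake_256(key).digest(n)

def seal_crc(key: bytes, msg: bytes) -> bytes:
    # WEP-style layout: encrypt (message || CRC-32) with the keystream.
    body = msg + crc32_bytes(msg)
    return xor(body, keystream(key, len(body)))

def open_crc(key: bytes, ct: bytes):
    body = xor(ct, keystream(key, len(ct)))
    msg, icv = body[:-4], body[-4:]
    return msg if crc32_bytes(msg) == icv else None

def patch_without_key(ct: bytes, delta: bytes) -> bytes:
    # CRC-32 is affine over GF(2): for equal lengths,
    # crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros), so the checksum change
    # is computable from delta alone and XORs straight through the cipher.
    icv_delta = xor(crc32_bytes(delta), crc32_bytes(bytes(len(delta))))
    return xor(ct, delta + icv_delta)

def seal_mac(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC with HMAC-SHA-256 (stand-in for a keyed integrity check).
    ct = xor(msg, keystream(enc_key, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_mac(enc_key: bytes, mac_key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return xor(ct, keystream(enc_key, len(ct)))

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    msg = b"constructed frame 0001"                 # constructed sample payload
    delta = xor(msg, b"constructed frame 9999")     # chosen change, same length
    crc_result = open_crc(enc_key, patch_without_key(seal_crc(enc_key, msg), delta))
    tampered = xor(seal_mac(enc_key, mac_key, msg), delta + bytes(32))
    return crc_result, open_mac(enc_key, mac_key, tampered)
```

`demo()` returns the altered payload for the CRC construction, since the receiver's check passes, and `None` for the MAC construction, since the tag no longer verifies.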


_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg